// Generic detector for Windows local-privilege-escalation exploit builds that
// still carry their console status messages. Every string below is a
// human-readable progress line (token theft, SYSTEM shell spawn, SMEP state,
// kernel structure lookups), so the rule keys on developer output text rather
// than on code.
rule Windows_Exploit_Generic_e95cc41c {
    meta:
        author = "Elastic Security"
        id = "e95cc41c-6cad-4b9c-b647-3c60e6614e25"
        // NOTE(review): fingerprint presumably hashes the rule text — regenerate
        // it whenever the strings or condition are edited.
        fingerprint = "78f78de7cee54107ee7c3de9b152ce3a242c1408115ab0950ccdfc278ed15a19"
        creation_date = "2024-02-28"
        last_modified = "2024-06-12"
        threat_name = "Windows.Exploit.Generic"
        reference_sample = "4cce9e39c376f67c16df3bcd69efd9b7472c3b478e2e5ef347e1410f1105c38d"
        severity = 100
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // $s1..$s12 match case-insensitively; $s13 and $s14 are case-sensitive.
        // The leading "] " on several strings anchors on the "[+] " / "[*] "
        // style status-line prefix, which keeps the shorter phrases from
        // matching in ordinary prose.
        $s1 = "Got system privileges" nocase
        $s2 = "Got SYSTEM token" nocase
        $s3 = "Got a SYSTEM token" nocase
        $s4 = "] Duplicating SYSTEM token" nocase
        $s5 = "] Token Stealing is successful" nocase
        $s6 = "] Exploit completed" nocase
        $s7 = "] Got SYSTEM shell." nocase
        $s8 = "] Spawning SYSTEM shell" nocase
        $s9 = "we have a SYSTEM shell!" nocase
        $s10 = "Dropping to System Shell." nocase
        $s11 = "] Enjoy the NT AUTHORITY\\SYSTEM shell" nocase
        $s12 = "] SMEP is disabled" nocase
        // Kernel-internal names printed by exploits that resolve these
        // structures; matched case-sensitively since they are identifiers.
        $s13 = "] KUSER_SHARED_DATA"
        $s14 = "] Found System EPROCESS"
    condition:
        // A single hit is enough. $s1..$s3 and $s9 have no "] " anchor and are
        // the most likely source of false positives on security tooling,
        // write-ups or test files that merely quote exploit output — triage
        // hits on those alone with that in mind.
        any of them
}

// Detects binaries that open an AFD (Ancillary Function Driver) socket
// endpoint via the native API while building the open-packet name one byte at
// a time on the stack. The combination of stack-string construction with the
// NtCreateFile / NtDeviceIoControlFile imports and the \Device\Afd\Endpoint
// path is characteristic of afd.sys kernel exploit proof-of-concepts.
rule Windows_Exploit_Generic_008359cf {
    meta:
        author = "Elastic Security"
        id = "008359cf-5510-4f91-8cb1-7b4ff645bf2d"
        // NOTE(review): fingerprint presumably hashes the rule text — regenerate
        // it whenever the strings or condition are edited.
        fingerprint = "3ef3b6bbe2141cb8ce47a5ee7c7531e72773d4dc4e478bb792c9230e4948db02"
        creation_date = "2024-02-28"
        last_modified = "2024-06-12"
        threat_name = "Windows.Exploit.Generic"
        reference_sample = "73225a3a54560965f4c4fae73f7ee234e31217bc06ff8ba1d0b36ebab5e76a87"
        severity = 100
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // $a1: three "C6 85 ?? 01 00 00 imm8" instructions (mov byte ptr
        // [ebp+disp32], imm8) storing the ASCII bytes 't','X','X' — the tail
        // of a stack-built string. The ?? wildcards absorb the frame offset.
        $a1 = { C6 85 ?? 01 00 00 74 C6 85 ?? 01 00 00 58 C6 85 ?? 01 00 00 58 }
        // $a2: the same pattern with disp8 addressing ("C6 45 ?? imm8"); the
        // immediates decode to "AfdOpenPacketXX", the extended-attribute name
        // used when opening an AFD endpoint. Stack-string construction like
        // this is only seen in hand-written code, which is why it carries the
        // rule rather than the plain imports below.
        $a2 = { C6 45 ?? 41 C6 45 ?? 66 C6 45 ?? 64 C6 45 ?? 4F C6 45 ?? 70 C6 45 ?? 65 C6 45 ?? 6E C6 45 ?? 50 C6 45 ?? 61 C6 45 ?? 63 C6 45 ?? 6B C6 45 ?? 65 C6 45 ?? 74 C6 45 ?? 58 C6 45 ?? 58 }
        // Supporting indicators: native-API imports plus the AFD device path
        // in both UTF-16 ($b2) and ASCII ($b3) so either encoding counts.
        $b1 = "NtCreateFile"
        $b2 = "\\Device\\Afd\\Endpoint" wide nocase
        $b3 = "\\Device\\Afd\\Endpoint" nocase
        $b4 = "NtDeviceIoControlFile"
    condition:
        // Requires one of the stack-string patterns and three of the four
        // supporting strings. Because $b2/$b3 are the same text in two
        // encodings, a file with only one encoding must also import both
        // Nt* APIs to satisfy "3 of ($b*)".
        1 of ($a*) and 3 of ($b*)
}

// Detects compiled exploit projects by their leftover PDB / build-path
// artifacts: x64 Release builds whose project is named after a CVE, or whose
// path points at a tooling / 0day / exploit working directory. This is a
// build-metadata rule, not a code rule — it only fires on binaries that kept
// their debug path, so a stripped build evades it (expect false negatives),
// and researcher or red-team test builds will match (expect benign hits).
rule Windows_Exploit_Generic_8c54846d {
    meta:
        author = "Elastic Security"
        id = "8c54846d-07ee-43bc-93e1-72bf4162ab87"
        // NOTE(review): fingerprint presumably hashes the rule text — regenerate
        // it whenever the strings or condition are edited.
        fingerprint = "9acb35c06a21e35639c8026a18e919329db82a0629a8e2267f1f4fe00b3bb871"
        creation_date = "2024-02-29"
        last_modified = "2024-06-12"
        threat_name = "Windows.Exploit.Generic"
        reference_sample = "b6ea4815a38e606d4a2d6e6d711e610afec084db6899b7d6fc874491dd939495"
        severity = 100
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // The hex strings are plain ASCII with ?? wildcards standing in for the
        // CVE year and number digits; decoded:
        //   $a1 = "\cve-20??-????\x64\Release\"   (lower-case project name)
        //   $a2 = "\CVE-20??-????\x64\Release\"   (upper-case project name)
        //   $a3 = "\x64\Release\CVE-20??-?????.pdb" (five-digit CVE number)
        //   $a4 = "\Release\CVE-20??-"
        //   $a9 = "x64\Release\exploit.pdb"
        $a1 = { 5C 63 76 65 2D 32 30 ?? ?? 2D ?? ?? ?? ?? 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C }
        $a2 = { 5C 43 56 45 2D 32 30 ?? ?? 2D ?? ?? ?? ?? 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C }
        $a3 = { 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C 43 56 45 2D 32 30 ?? ?? 2D ?? ?? ?? ?? ?? 2E 70 64 62 }
        $a4 = { 5C 52 65 6C 65 61 73 65 5C 43 56 45 2D 32 30 ?? ?? 2D }
        // Specific PDB names and working-directory prefixes observed in
        // exploit builds; each is a standalone indicator.
        $a5 = "\\x64\\Release\\CmdTest.pdb"
        $a6 = "\\x64\\Release\\RunPS.pdb"
        $a7 = "X:\\tools\\0day\\"
        $a8 = "C:\\work\\volodimir_"
        $a9 = { 78 36 34 5C 52 65 6C 65 61 73 65 5C 65 78 70 6C 6F 69 74 2E 70 64 62 }
        // Weaker fragments that must co-occur:
        //   $b1 = "\CVE-20??-"      (a CVE-named path component)
        //   $b2 = "\x64\Release\"   (an x64 Release build output directory)
        $b1 = { 5C 43 56 45 2D 32 30 ?? ?? 2D }
        $b2 = { 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C }
    condition:
        // Any single $a string is considered specific enough on its own; the
        // $b fragments only count when both are present, since "\x64\Release\"
        // alone appears in every MSVC x64 release build.
        any of ($a*) or all of ($b*)
}

